Fwd: Re: [xacml] Fwd: [sunxacml-discuss] hierarchical resources

[Anne.Anderson@Sun.COM]

--- Begin Message ---

• From: bill parducci <bill@pier64.com>
• To: Anne.Anderson@Sun.COM
• Date: Sun, 01 Feb 2004 08:09:50 -0800 (PST)

> The ultimate goal:  issue a single request to a PDP with a role
> identifier and a resource-id which is the root of a web application
> (e.g. http://yossarian:8081/DeonticProto), and receive a Result back for
> each resource the role is permitted to see.  Each view of the app (a URL
> under the root) will have a page descriptor instance associated with
> it.  This page descriptor file will be some XML vocabulary that is still
> evolving (RDF might be involved).  It will basically define everything
> in a page that is subject to access control, in a hierarchical manner.
> For example, a page can be split up into "container" objects, which can
> then include items such as form elements or other data.  So, the
> resource hierarchy we're dealing with is at the page level first (under
> the root URL), and each page has its own hierarchical structure defined
> by this descriptor vocabulary (an XML document).

perhaps i am reading this incorrectly, but the first thought that comes to
mind is a shift of responsiblities. while it might be possible with a
single resource, what i think would likely end up happening is the pdp
would have to in effect send back a PERMIT with a whole gob of obligations
(since the PDP won't know what the parameters of an actual decision will
be it technically cannot implement conditions). this then would lead to
the PEP having to perform conditional analysis and i think that kinda
breaks the model.

i am not saying that it can't work, but it seems to be inconsitent with
model we have been working under to date.

b

p.s. at a conference right now and on 'life line' e-mail so can't post to
list (if you feel like responding publically ;o)

--- End Message ---